Soundness, Completeness and Non-redundancy of ... - Google Sites

Soundness, Completeness and Non-redundancy of Operational Semantics for Verilog based on Denotational Semantics Zhu Huibiao1 , Jonathan P. Bowen1 , and He Jifeng2? 1

Centre for Applied Formal Methods South Bank University, SCISM, 103 Borough Road, London SE1 0AA, UK Email: {huibiaz,bowenjp}@sbu.ac.uk URL: http://www.cafm.sbu.ac.uk/ 2

United Nations University, UNU/IIST, P.O. Box 3058, Macau, China Email: [email protected] URL: http://www.iist.unu.edu/ Abstract. This paper investigates three significant questions of Verilog’s operational semantics: soundness, completeness and non-redundancy. Our understanding for these three questions is denotational-based. We provide an operational semantics for Verilog and prove that our operational semantics is sound, complete and non-redundant.

1

Introduction

Modern hardware design typically uses a hardware description language (HDL) to express designs at various levels of abstraction. An HDL is a high level programming language, with usual programming constructs such as assignments, conditionals and iterations, and appropriate extensions for real-time, concurrency and data structures suitable for modelling hardware. Verilog is an HDL that has been standardized and widely used in industry [6]. Verilog programs can exhibit a rich variety of behaviours, including event-driven computation, shared-variable concurrency and simulator-based interpretation. The semantics for Verilog is very important because Verilog is widely used in industry. At UNU/IIST, the operational semantics has been explored in [1, 3, 4, 7]. Verilog’s denotational semantics [9] has also been explored based on the operational semantics using Duration Calculus [8]. We have already investigated the derivation of denotational semantics from operational semantics for Verilog [10]. We also derived the operational semantics for Verilog from its denotational semantics [11]. Regarding operational semantics, there are three typical questions we should face: (1) By which rule can we say our operational semantics is sound? (2) How can we guarantee our operational semantics is complete? (3) How can we say there will not be any redundant rules among all our transition rules? This paper considers the soundness, completeness and non-redundancy of operational semantics for Verilog. Our approach is denotational-based. An operational semantics is called sound if it is consistent with the denotational model that has already been formulated. Regarding the transition rules of an operational semantics, there may be too few transitions. The completeness of an operational semantics is to check if the ?

On leave from East China Normal University, Shanghai, China

transitions are sufficient. There may also be too many transitions in a transition system. Redundant rules may add new extra features to our language, but these features actually do not exist in our language originally. Therefore we want to detect and avoid these redundant rules in our transition system. This paper is organised as follows. Section 2 introduces the language and presents an operational semantics for Verilog. Assignment is regarded as an atomic action in this paper. Section 3 is devoted to the soundness of our operational semantics. We give a definition of the completeness and non-redundancy for operational semantics in section 4 and 5 respectively. The operational semantics for Verilog is proved to be sound, complete and non-redundant based on our denotational semantics. We give a brief introduction of our denotational semantics in the appendix. Our discussion for soundness, completeness and non-redundancy focuses on a narrow area, which is denotational-based. Therefore, soundness, completeness and nonredundancy in this paper is called D-soundness, D-completeness and D-non-redundancy respectively. Here, “D-” indicates our understanding for these three questions is based on denotational semantics.

2

Operational Semantics for Verilog

There are some previous work [1, 3, 4, 7] about operational semantics for Verilog, where assignment is not regarded as an atomic action in these previous work. Our operational semantics provided below treats assignment as an atomic action. 2.1

Syntax for Verilog

The language discussed in this paper is a subset of Verilog [6]. It contains the following categories of syntactic elements introduced in [2]. P ::= x := e | P ; P | if b then P else P | while b do P | c P | P k P c P denotes a timing controlled statement, and c is a time control used for scheduling. c ::= #n | @(η), where η ::= v |↑ v |↓ v Time delay #n suspends the execution for exactly n time units. n is treated as an integer in this paper. An event guard @(↑ v) is fired by the increase of the value of v, whereas @(↓ v) is triggered by a decrease in v. Any change of v awakes the guard @(v). To accommodate the expansion laws of parallel construct, the language is equipped with a hybrid control event @(g): g ::= η | g or g | g and g | g and ¬g and the guarded choice (@(g1 ) P1 )[] . . . [](@(gn ) Pn ) [9]. 2.2

Transition Types

There are two types of configuration: < P, σ, σ 0 > and < P, σ, ∅ > where: (1) the first component P is a program text representing the program that remains to be executed. (2) The second component σ indicates the initial state of an atomic action.

(3) When assignment is executed , σ and σ 0 identify the state changes within the assignment, where σ 0 represents the current state after the execution of assignment. If the third component is ∅, it means the previous atomic action ends and the new atomic action has not been scheduled. The transition rules for Verilog can be grouped into the following categories: T1 Instantaneous transition This type of transition models the execution of assignment. The new state contributed by assignment is stored in σ 0 . < P, σ, ∅ > −→ , where σ 0 = f (σ) T2 Time event transition (1) A transition can be fired by the sequential predecessor.

< P, σ, σ 0 > −→c Here c is the triggered condition. It has the form c(σ, σ 0 ), where σ and σ 0 are from −→c .

If −→ has no triggered condition, the triggered condition can be considered as true. (2) A transition can be fired by its parallel partner.

< P, σ, ∅ > −→c T3 Time advancing transition If process P cannot do any other transitions at the moment, time will advance. We regard the unit of time advancing is 1. 1 < P, σ, ∅ > −→ 2.3 Operational Semantics for Verilog Assignment x := e can be scheduled at once. It can also allow the environment to do some atomic actions. Assignment cannot let time advance. T1 < x := e, σ, ∅ > −→ < E, σ, σ[e/x] > (assign-1) where σ[e/x] is the same as σ except the value of variable x is now associated with the value e. T2

< x := e, σ, σ 0 >

−→

< x := e, σ 0 , ∅ >

(assign-2)

0

< x := e, σ, ∅ > −→ < x := e, σ , ∅ > (assign-3) Here “E” represents the empty process. The event guard @(g) can be immediately fired after it is scheduled to execute, it is actually triggered by the execution of its prior action. Another case is the guard waits to be fired by its environment. Time can also advance before the event becomes enabled. T2

−→ f ire(g) < E, σ 0 , ∅ > 0 σ 0 > −→ ¬f ire(g) < @(g), σ 0 , ∅ > ∅ > −→ f ire(g) < E, σ 0 , ∅ > ∅ > −→ ¬f ire(g) < @(g), σ 0 , ∅ > 1

< @(g), σ, σ 0 >

(guard-1)

< @(g), σ,

(guard-2)

< @(g), σ, < @(g), σ,

(guard-3) (guard-4)

T3 < @(g), σ, ∅ > −→ < @(g), σ, ∅ > (guard-5) Here, f ire(g)(σ, σ 0 ) is used to indicate the transition from state σ to state σ 0 can awake the guard @(g), where σ, σ 0 are from

−→ .

The transition rules for #n, sequential composition, conditional, iteration and guarded choice can be found in [12]. In order to let our operational model for P k Q be consistent with the denotational model, we add the virtual process f lash to the end of each component, i.e., we regard the behaviour of P k Q as that of (P ; f lash) k (Q; f lash). For f lash, its denotational semantics is briefly described in the appendix. Its operational semantics is as follows:

< f lash, σ, σ 0 > −→ < E, σ, ∅ > < f lash, σ, ∅ > can be regarded as < E, σ, ∅ >. Below are the transition rules for parallel process P k Q. T1

If one of them can perform an instantaneous action, the whole process can also make this transition. If < P, σ, ∅ > −→ , then −→ If < Q, σ, ∅ > −→ < Q0 , σ, σ 0 >, then −→ 

T2 (1) P k Q can perform a triggered action caused by its predecessor. 0 0 0 c1 and < Q, σ, σ 0 Q, σ, σ 0 > −→ c1∧c2 

If < P, σ, σ 0 > −→

c2

> −→

< Q0 , σ 0 , ∅ >

then and < Q, σ, ∅ > −→ c2 Q, σ, σ 0 > −→ c1∧c2 

If < P, σ, σ 0 > −→

< Q0 , σ 0 , ∅ >

then and 0 Q, σ, σ 0 > −→ c1∧c2 −→

c2

< Q, σ, σ 0 > −→

< Q0 , σ 0 , ∅ >

then (4) P k Q allows the environment to perform an atomic action. 0 0 c1 and < Q, σ, ∅ > −→ c2 Q, σ, ∅ > −→ c1∧c2 

If < P, σ, ∅ > −→

< Q0 , σ 0 , ∅ >

then and < E k P, σ, ∅ > as < P, σ, ∅ >. Hence, < E k E, σ, ∅ > is considered as < E, σ, ∅ >. T3 P k Q allows time to advance iff both components do so. 1 1 If < P, σ, ∅ > −→ and < Q, σ, ∅ > −→ < Q0 , σ, ∅ > 1 then −→ 2 We have formulated an operational semantics for Verilog. Next we use =⇒c to specify an atomic action. Definition 2.1 (Atomic action)

< P, σ, σ 0 > =⇒c < Q, σ 0 , ∅ > =df < P, σ, σ 0 > −→c < Q, σ 0 , ∅ > < P, σ, ∅ > =⇒c < Q, σ 0 , ∅ > =df < P, σ, ∅ > −→ ∧

 −→c < Q, σ 0 , ∅ > 2 0 The phase semantics of the atomic action < P, σ, ∅ > =⇒c < Q, σ , ∅ > is the sequential composition of the corresponding two phase semantics. In order to show the denotational-based soundness and completeness for Verilog op-

erational semantics in the next two sections, our discussion for parallel process P k Q under state will only focus on the atomic transition =⇒c . The predicate first par(< P, σ, ∅ >) indicates if the first transition for program P under < P, σ, ∅ > is caused by a parallel process; it is defined as follows: Definition 2.2 (first par) first par(< P, σ, ∅ >)  false, if P = x := e, @(g), #n     false, if P = (@(g1 ) P1 )[] . . . [](@(gn ) Pn )     if P = P1 k Q1  true, if P = P1 ; Q1 first par(< P1 , σ, ∅ >), =df   first par() b(σ) if P = if b then P1 else Q1  1    first par(< Q , σ, ∅ >),  1   b(σ) ∧ first par(< P1 , σ, ∅ >), if P = while b do P1 We use the following two programs to illustrate the function of first par. first par(< x := 1; @(↑ y), σ, ∅ >) = false, first par(< x := 1 k y := 1 ; @(↑ y), σ, ∅ >) = true. 2.4 Transition Condition and Phase Semantics The relationship between a transition and the variables in the denotational model can be described by the following diagram of an example transition, where the denotational model is briefly introduced in the appendix. ← − → − π2 (last( tr )) ttr2 π2 (last( tr )) ttr20 6 < P,

σ,

6

6

σ0 >

−→ c



We define a transition condition Condi,j and its corresponding phase semantics for each type of transition. Here Condi,j stands for the transition condition for the j-th transition of type Ti . T1 < P, σ, ∅ > −→ , where σ 0 = f (σ) → ← − − Cond1,1 =df tr = tr ∧ ttr = null ∧ ← − ← − ttr10 = π2 (last( tr )) ∧ ttr20 = f (π2 (last( tr )))

T2 (1) < P, σ, σ 0 > −→c Cond2,1 =df c(ttr1, ttr2) ∧ ttr 6= null ∧ ttr0 = null ∧ attach1, where: ←−− → ← − − ← − → ← − − attach1 =df tr = tr π2 (last( tr )) = ttr2 tr = trb < (time, ttr2, 1) >

(2) < P, σ, ∅ > −→c ← − → − Cond2,2 =df ttr= null ∧ ttr0 = null ∧ c(π2 (last( tr )), π2 (last( tr ))) ←−− → ← − − π1 ( tr − tr ) = time ∧ → ← − − ∧ tr = tr ∨ → ← − − π3 ( tr − tr ) = 0 The above two types of transitions have the instantaneous feature. The corresponding phase semantics of each transition can be expressed as Inst(Condi,j ), where Inst(X) =df H(true ` ¬wait0 ∧ δ(time) = 0 ∧ X )

1

T3 < P, σ, ∅ > −→ → ← − − Cond3,1 =df tr = tr ∧ ttr = null ∧ ttr0 = null Its phase semantics is: phase3 =df H(true ` Cond3,1 ∧ (δ(time) < 1 wait0 δ(time) = 1) )

3

Soundness

A model is called sound if it is consistent with another model that has already been formulated. For Verilog, as we have already formulated the denotational model, the correctness of operational semantics should depend on its consistency with our denotational model. Therefore our understanding of soundness for operational semantics is based on denotational analysis. First we introduce the notion of configuration condition. It links the configuration state with the denotational state. Definition 3.1 (Configuration Condition) Condition(< P, σ, σ 0 >) =df ttr 6= null Condition(< P, σ, ∅ >) =df ttr = null 2 Example 3.2: Consider the execution of x := e under state < x := e, σ, ∅ >. There are two execution branches from the state < x := e, σ, ∅ >. < x := e, σ, ∅ > −→ < E, σ, σ[e/x] > (1)

< x := e, σ, ∅ > −→ < x := e, σ 0 , ∅ > (2) On the other hand, from the denotational view, we can prove: Inst(Cond1,1 ) ; II ⇒ ttr = null ∧ x := e (3) Inst(Cond2,2 ) ; x := e ⇒ ttr = null ∧ x := e (4) Here Inst(Cond1,1 ) and Inst(Cond2,2 ) are the phase semantics of the above two transitions. We regard the denotational semantics of the empty process E as II. Therefore logical formulae (3) and (4) are consistent with transitions (1) and (2) respectively. This leads to the definition of soundness for operational semantics. 2 Definition 3.3 (Soundness) An operational semantics is considered sound, based on denotational semantics iff for any transition it satisfies

β

< P, α > −→ sem ; P 0 ⇒ Condition(< P, α >) ∧ P

(∗)

where: β (1) sem is the phase semantics of transition < P, α > −→ . (2) If < P, α > has the form < P, σ, σ 0 > OR < P, α > has the form < P, σ, ∅ > AND ¬first par(< P, σ, ∅ >), β

1

then −→ can be of the transition form −→, −→ c or −→. (3) If < P, α > has the form < P, σ, ∅ > AND first par(< P, σ, ∅ >), β

then −→ can only be of the atomic action transition =⇒c . Here, “⇒” represents logical implication. P and P 0 appearing in a configuration stand for the syntax, whereas P and P 0 in (∗) above stand for the denotational semantics. 2

Theorem 3.4: The operational semantics for Verilog that appeared in section 2.3 is sound. 2

4

Completeness

Although our transition system is proved to be sound, we still need to check if our transition rules are sufficient. If the transition rules for a language are insufficient, this may generate a new and unintended class of terminal state. Therefore, it is worthy to investigate if our transition rules for Verilog are sufficient. Our approach for completeness is also by denotational analysis. Example 4.1 (Incompleteness) There are five transition rules for event guard @(g) (see section 2.3). If we omit the time advancing rule for @(g) (guard-5), we may find that the rest of the rules for @(g) are not complete. Consider the case < @(g), σ, ∅ >. Originally we have: (sem2,3 ; II) ∨ (sem2,4 ; @(g)) ∨ (sem3,1 ; @(g)) = (ttr = null) ∧ @(g) Now we have (sem2,3 ; II) ∨ (sem2,4 ; @(g)) 6= (ttr = null) ∧ @(g). Here sem2,3 , sem2,4 and sem3,1 are the phase semantics of the three transitions (guard3, guard-4, guard-5) under < @(g), σ, ∅ > respectively. This inequation indicates the rest of the transition rules for @(g) after omitting guard-5 are not complete. 2 Example 4.2 (Completeness) There are three transition rules for assignment (see section 2.3, assign-1, assign-2, assign-3). From the denotational view, we can prove : (Inst(Cond1,1 ) ; II) ∨ (Inst(Cond2,2 ) ; x := e) = (ttr = null) ∧ x := e (3) Inst(Cond2,1 ) ; x := e = (ttr 6= null) ∧ x := e (4) Here Inst(Cond1,1 ), Inst(Cond2,1 ) and Inst(Cond2,2 ) are the phase semantics of transition assign-1, assign-2 and assign-3 respectively. These two equations indicate the transition rules at state < x := e, σ, ∅ > and < x := e, σ, σ 0 > are complete respectively. This comes to the definition of completeness based on denotational semantics.2 Definition 4.3 (Completeness of Transition Rules for Program) The transition rules for program P are called complete, based on denotational semantics iff for every configuration < P, α >, it should satisfy W = Condition(< P, α >) ∧ P i ( semi ; Pi ) where: βi (1) semi is the phase semantics of the transition < P, α > −→ < Pi , αi >. (2) If < P, α > has the form < P, σ, σ 0 > OR < P, α > has the form < P, σ, ∅ > AND ¬first par(< P, σ, ∅ >), βi

1

then −→ can be of the transition form −→, −→ c or −→. (3) If < P, α > has the form < P, σ, ∅ > AND first par(< P, σ, ∅ >), βi

then −→ can only be of the atomic action transition =⇒c . (4) i goes through all the transitions of process P under state < P, α >. 2 Remark: The empty process E cannot do any transitions under state < E, σ, ∅ > ( or < E, σ, σ 0 > ). We will not discuss the completeness for transition rules of empty

process E. The following diagram illustrates our intuitive understanding for completeness. < P, α > XXX β XXβ 1 β XnX 2 XX 9 z X = < P1 , α1 >

< P2 , α2 > W

i(

......



semi ; Pi ) = Condition(< P, α >) ∧ P

Definition 4.4 (Completeness of Operational Semantics) An operational semantics is called complete if the transition rules for every program are complete. 2 Theorem 4.5: The operational semantics for Verilog that appeared in section 2.3 is complete. Proof Here we give the proof of completeness for the transition rules of assignment. We only consider x := e under state < x := e, σ, ∅ >. (Inst(Cond1,1 ) ; II) ∨ (Inst(Cond2,2 ) ; x := e) Def of Cond1,1 , assign = (ttr = null ∧ assign(x, e)) ∨ Def of Cond2,2 , PL ( Inst(Cond2,2 ) ; hold(0) ; assign(x, e) ) = (ttr = null) ∧ (hold(0) ; assign(x, e)) Def of x := e = (ttr = null) ∧ x := e For other statements, the proofs for the completeness of their transition rules are presented in [12]. 2

5

Non-redundancy

Although our transition system for Verilog has been proved to be sound and complete, there may be too many transition rules. Therefore, we need to check if there are some redundant rules in our transition system. Redundant rules may add new features to our language, which we do not want. These new features actually do not exist in our language originally. Therefore, redundant rules may cause conflict for our understanding of a language. The following approach is a way to test if there are some redundant rules in our transition system. Our approach is by denotational analysis. The transition rules for iteration are the same as the ones for conditional [12]. In the following discussion of non-redundancy we will omit iteration. We only focus on finite programs, but this does not mean our discussion loses generality. In the first part of this section, we use the logical point of view to consider the transitions of a program. We want to represent the operational semantics of program P as a logical formula O(P ) [10]. In the second part, we use the notation D(P ) to represent the denotational semantics for program P . We plan to prove D(P ) = O(P ), which can be considered as a way to test if there are no redundant rules for program P . 5.1 Logical Point of View for Operational Semantics Definition 5.1: A configuration < P, σ, σ 0 > (or < P, σ, ∅ > ) is called a divergent state if P can perform an infinite sequence of instantaneous transitions or self-triggered

transitions, i.e., there exists an infinite set {Di | i ∈ N at} of configurations such that D0 =< P, σ, σ 0 > (or < P, σ, ∅ > ), and for all i, • either Di −→ Di+1

• or Di =< Pi , σi , σi0 >, σi0 6= ∅, Di −→i ci Di+1 2 Definition 5.2: A computational sequence of program P is an empty sequence or any finite sequence leading P to the other state; that is: δ1 δn D0 −→ D1 . . . . . . −→ Dn δi where −→ (i = 1, . . . , n) can be an instantaneous transition (−→), a triggered transition

1

( −→ c ), or a time advancing transition (−→).

2 δi

If computational sequence seq is not empty, seq[i] is the i-th transition (Di−1 −→ Di ) of seq. We write cp[P ] representing the set which contains all the computational sequences leading program P to terminating state or divergent state. cp[P ]ter and cp[P ]div stand for the sets which contain all the sequences leading program P to the terminating and divergent states correspondingly. Therefore, we have cp[P ] = cp[P ]ter ∪ cp[P ]div . If a process terminates, its terminating state can be one of the following states: < E, σ, ∅ >, < E, σ, σ 0 > Definition 5.3: Let seq stand for a computational sequence of program P . Suppose len(seq) = n, sem(seq) is the semantics of the computational sequence seq, which can be defined as: If len(seq) = 0, then sem(seq) =df II. If len(seq) = 1, then sem(seq) =df sem1 . Otherwise sem(seq) =df sem1 ; . . . ; semn . semi is the phase semantics of the i-th transition (seq[i]) of the computational sequence seq. len(seq) indicates the length of the computation sequence, i.e., the number of transitions in the computation sequence. 2 Definition 5.4 (Operational Semantics from Logical Point of View) W W O(P ) =df seq∈cp[P ]div (sem(seq) ; ⊥) ∨ seq∈cp[P ]ter (sem(seq)). where, ⊥ =df H(false ` true), which is the bottom element of the complete lattice HF under implication order. Here HF is the set containing all heathy formulae. 2 5.2

Non-redundancy

Example 5.5: For assignment we originally have three transition rules (see section 2.3, assign-1, assign-2, assign-3). In the last two sections we have already proved that these transition rules are sound and complete. According to the logical point of view for operational semantics, we get the following result: D(x := e) = O(x := e) Now if we add another transition rule (assign-4) for x := e, we may find this rule is redundant. < x := e, σ, ∅ > −→ < x := e, σ, σ > (assign-4) We can prove that this new rule is also sound. The current transition rules for x := e (this newly added rule, together with its original three rules) are complete. But we find

that this new rule will cause problems by the following analysis. Let D2i+1 = < x := e, σ, ∅ > (i = 0, 1, 2, . . .) and D2i = < x := e, σ, σ > (i = 1, 2, 3, . . .). The sequence D1 −→ D2 −→ D3 −→ . . . indicates that< x := e, σ, ∅ > is a divergent state, which means ⊥ ⇒ O(x := e). As ⊥ is the bottom element of all healthy formulae (HF ), which indicates that O(x := e) = ⊥. But actually x := e has no divergent behaviour, and D(x := e) 6= ⊥. Assignment should satisfy D(x := e) = O(x := e) actually. This newly added rule (assign-4) makes O(x := e) different from D(x := e). 2 In our denotational model, the divergent part of the denotational semantics for program P stands for its divergent behaviour. As we only focus on finite programs in this subsection, which means we don’t have iteration in our syntax. We find that D(P )div = false for any program P . This means that there are no sequences leading program P to the divergent state, i.e., cp[P ]div = ∅. But if there are some redundant rules which make P have some divergent behaviour, then cp[P ]div 6= ∅. This means O(P )div 6= false, which also means D(P ) 6= O(P ). In order to link the transition rules with the denotational semantics and consider the denotational semantics as the starting point, we introduce O(P ), which is the logical point of view to characterise the operational semantics. If the transition system does not cause any extra new features, which do not exist in our language, O(P ) should be the same as D(P ) for any program P . Therefore, we use “D(P ) = O(P )” as the definition of the non-redundancy of a transition system. Definition 5.6 (Non-redundancy) An operational semantics is called non-redundant, based on denotational semantics iff D(P ) = O(P ), for any program P . 2 Theorem 5.7 If we exclude iteration in the syntax for Verilog, then D(P ) = O(P ), for any program P . 2 This theorem indicates the operational semantics for Verilog that appeared in section 2.3 (omitting iteration) is non-redundant. Our understanding for non-redundancy is denotational-based. The above approach is only a testing way to check if there are some redundant rules. That is, if D(P ) 6= O(P ), this means that there may be too many transition rules because our original rules are assumed to be sound and complete. Then we need to look at the transition rules of P carefully and discover the redundant rules.

6

Conclusion

This paper discusses three significant aspects regard to an operational semantics for Verilog: (1) soundness, (2) completeness, (3) non-redundancy. Our understanding for these three aspects is new, based on denotational semantics. Therefore, soundness, completeness and non-redundancy is called D-soundness, D-completeness and D-nonredundancy respectively. Here “D-” indicates our approach is denotational-based. We give definitions for these three concepts and prove that the operational semantics for Verilog presented in this paper is sound and complete. Our operational semantics can also be proved to be non-redundant if we omit iteration in our syntax.

The denotational-based understanding of these three questions can be regarded as a general approach. Our approach could also be applied to the operational semantics of other languages. The work presented in this paper can be regarded as the extension of unifying theories [5] for Verilog.

References 1. J. P. Bowen, He Jifeng and Xu Qiwen. An Animatable Operational Semantics of the VERILOG Hardware Description Language. Proc. ICFEM2000: 3rd IEEE International Conference on Formal Engineering Methods, IEEE Computer Society Press, pp. 199–207, York, UK, September 2000. 2. M. J. C. Gordon. The Semantic Challenge of Verilog HDL. Proc. Tenth Annual IEEE Symposium on Logic in Computer Science, IEEE Computer Society Press, pp. 136–145, June 1995. 3. He Jifeng and Xu Qiwen. An Operational Semantics of a Simulator Algorithm. Technical Report 204, UNU/IIST, P.O. Box 3058, Macau, China, June 2000. 4. He Jifeng and Zhu Huibiao. Formalising Verilog. Proc. IEEE International Conference on Electronics, Circuits and Systems, IEEE Computer Society Press, pp. 412–415, Lebanon, December 2000. 5. C. A. R. Hoare and He Jifeng. Unifying Theories of Programming. Prentice Hall International Series in Computer Science, 1998. 6. IEEE Standard Verilog Hardware Description Language. IEEE Standard 1364-2001 (Revision of IEEE std 1364-1995), 2001. 7. Li Yongjian and He Jifeng. Formalising VERILOG: Operational Semantics and Bisimulation. Technical Report 217, UNU/IIST, P.O. Box 3058, Macau, China, November 2000. 8. Zhou Chaochen, C. A. R. Hoare and A. P. Ravn. A Calculus of Durations. Information Processing Letters, 40(5):269–276, 1991. 9. Zhu Huibiao and He Jifeng. A Semantics of Verilog using Duration Calculus. Proc. International Conference on Software: Theory and Practice, pp. 421–432, Beijing, China, August 2000. 10. Zhu Huibiao, J. P. Bowen and He Jifeng. From Operational Semantics to Denotational Semantics for Verilog. Proc. CHARME 2001: 11th Advanced Research Working Conference on Correct Hardware Design and Verification Methods, Springer-Verlag, LNCS 2144, pp. 449– 464, Livingston, Scotland, UK, September 2001. 11. Zhu Huibiao, J. P. Bowen and He Jifeng. Deriving Operational Semantics from Denotational Semantics for Verilog. Proc. APSEC 2001: 8th Asia-Pacific Software Engineering Conference, IEEE Computer Society Press, pp. 177–184, Macau, China, December 2001. 12. Zhu Huibiao, J. P. Bowen and He Jifeng. Soundness, Completeness and Non-redundancy of Operational Semantics for Verilog based on Denotational Semantics (Extended version). Technical Report SBU-CISM-02-07, SCISM, South Bank University, London, UK, 2002.

Appendix Our denotational semantic model contains a variable tr to describe the behaviour of a process, which is composed of a trace of snapshots. A snapshot is used to specify the behaviour of an atomic action, and expressed by a triple (t, σ, µ), where: (1) t indicates the time when the atomic action happens; (2) σ denotes the final values of program variables at the termination of an atomic action; (3) µ is the control flag indicating which process is in control: µ = 1 states the atomic action is engaged by the process, whereas µ = 0 implies it is performed by the environment. The components of a snapshot can be selected using the projections:

π1 ((t, σ, µ)) =df t π2 ((t, σ, µ)) =df σ π3 ((t, σ, µ)) =df µ A pair of variable ttr =df (ttr1, ttr2) is introduced to model the change made by an atomic action, where ttr1 stores the initial state of an atomic action, ttr2 stores the current state after the execution of the atomic action. Below is a formal description of the variables used by our denotational semantic model: ←−− −−→ • time and time are the start point and the end point of a time interval over which the observation is recorded. We use δ(time) to represent the length of the time interval. −−→ ←−− δ(time) =df (time − time) ← − • tr stands for the initial trace of a program over the interval which is passed by → − → − its predecessor. tr stands for the final trace of a program over the interval. tr − ← − tr stands for the sequence of snapshots contributed by the program itself and its environment during the interval. • ttr and ttr0 stand for the initial and final value of the variable ttr which are used to store the contribution of an atomic action over the interval. • ok, ok 0 are boolean variables. ok = true indicates that the process has started, and ok 0 = true records the observation that the process has become stable. • wait, wait0 are boolean variables. wait = true indicates that the process starts in an intermediate state, and wait0 = true means the process is waiting. 2 The following definitions are very important in our semantic model: (1) Chop: → −−→ − P _ Q =df ∃t, s, tt, • P [s/ tr , t/time, tt/ttr0 ] ← − ←−− ∧ Q[s/ tr , t/time, tt/ttr] (2) Sequential composition: Let P and Q be formulae. Define P ; Q =df ∃w, o • ( P [w/wait0 , o/ok 0 ] _ Q[w/wait, o/ok] ) (3) Healthy formula: A formula is called a healthy formula if it has the following form. H(Q ` W wait0 T ) ← − → − where: (1) H(X) = II wait (X ∧ R1); (2) R1 =df tr tr ; (3) II is the unit of sequential composition; (4) P b Q =df P ∧ b ∨ Q ∧ ¬b; (5) P ` R =df (ok ∧ P ) ⇒ (ok 0 ∧ R) 2 Our denotational semantics of process P is described as: H(¬Pdiv ` Pwait wait0 Pter ) where, Pdiv , Pwait and Pter are the divergent, waiting and terminating behaviour of P respectively. Assignment is considered as an atomic action in this paper. The execution of x := e assigns the value e to x. x := e =df f lash ; hold(0) ; assign(x, e) where: • f lash adds to the trace a new snapshot (made by its prior atomic action). • hold(n) indicates that the execution is held for exactly n time units. • assign(x, e) models the updating incurred by the assignment. The definition for f lash can be found in [12]. The definitions for hold(n), assign(x, e) can be found in [10–12]. The detailed explanation of our denotational model can be found in [9–12].